Sobig.F breaks speed records

The latest version of the Sobig Internet virus, Sobig.F, is spreading faster than any virus seen before, according to UK email security firm MessageLabs.

"One email in 17 carrying the virus is the biggest we've seen," said MessageLabs chief information security analyst Paul Wood.

"Previous incarnations (of Sobig) have gradually evolved and this is now the most prevalent, in our history at least," Wood said.

The virus produced over 1 million copies within the first 24 hours, according to MessageLabs.

The virus has spread quickly due to two factors, according to Wood. The first of these is that Sobig.F can send multiple emails simultaneously, whereas previous versions of the worm sent them one at a time, "so it's very, very efficient," he said.

The second reason for the rapid spread is that a bug in previous versions has now been fixed. "The bug meant that many file names were truncated, so that they appeared as .pi instead of .pif and therefore wouldn't run. I don't know what proportion had that problem, but even if it was a third, that's a significant chunk. In this case, they've fixed that," Wood said.

The email message carrying the virus is also interesting, Wood said. "In the email header component - something you don't typically see - the message says it's been through a virus scanner and been cleaned. A private joke on their part, perhaps, and something we haven't seen before," he said.

"The sole purpose of this virus is to generate a number of insecure computers that can be taken control of at will and used to distribute spam, porn, or host Web sites," Wood said.

The spread of Sobig.F has calmed down in the past 12 hours, Wood said, but it has hit the home user and small to medium enterprise markets hard. These users are the least likely to have firewalls, mostly relying on antivirus software. "When over one million copies are seen in the first 24 hours, and the antivirus company needs, say, 12 hours to develop updates to their software, there's a big window of opportunity for the virus to take over," Wood said.

Corporations are used to blocking file extensions likely to cause trouble, so they are hit less than they would have been two or three years ago, said David Em, UK marketing manager for Network Associates' antivirus emergency response team.

Home users, on the other hand, have been badly affected, he said. "As people get broadband, and realise they need more protection, hopefully the idea of firewalls will gain currency," he said.

Small businesses have been suffering too, Em agreed. "The tricky thing is that they have an always-on connection but no dedicated IT resource to maintain protection." Antivirus companies like Network Associates are therefore focusing on automatic updates and intrusion prevention products to help small companies, he said.
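
The extension blocking described above can be sketched as a small gateway check. This is an added example, not code from MessageLabs or Network Associates. The blocklist beyond .pif, the header name and the sample messages are assumptions constructed for illustration. The check judges a message by its attachment names alone and ignores any header claiming the mail was already scanned, since the sender controls that header.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; the article itself names only .pif.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the attachment filenames whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        # Normalise case and trailing dots/spaces, then test only the last
        # extension so that "report.txt.pif" is treated as a .pif file.
        cleaned = name.strip().rstrip(". ").lower()
        ext = "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def verdict(raw_message: bytes) -> str:
    """Quarantine on any blocked attachment; headers are never consulted."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


def build_sample(filename: str) -> bytes:
    """Constructed test message with one attachment (not a real sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    # Constructed header imitating a sender-supplied "already scanned" claim.
    m["X-Example-Scanner"] = "Found to be clean"
    m.set_content("Constructed body text.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname in ("report.txt.pif", "details.PIF", "notes.txt"):
        print(fname, "->", verdict(build_sample(fname)))
```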